Processor that permits or restricts access to data stored in a first area of a memory

ABSTRACT

An information processing apparatus includes a first network interface configured to accept access from a terminal on a first network, a second network interface configured to accept access from a terminal on a second network, a hardware processor configured to process access from a terminal on the first network and a terminal on the second network, and a memory. The memory includes a first area configured to store data received from the terminal on the second network. The second network is higher in security level than the first network. Access to data stored in the first area from the terminal on the second network is permitted and access to data stored in the first area from the terminal on the first network is restricted.

The entire disclosure of Japanese Patent Application No. 2018-036512filed on Mar. 1, 2018 is incorporated herein by reference in itsentirety.

BACKGROUND Technological Field

The present disclosure relates to an information processing apparatuswhich processes access from terminals constituting a plurality ofnetworks.

Description of the Related Art

An information processing apparatus which processes access fromterminals constituting a plurality of networks has conventionally beenproposed. For example, Japanese Laid-Open Patent Publication No.2014-049132 discloses “a network switching terminal comprising aswitching processing unit including a first operation system assigned toa first LAN card, a second operation system assigned to a second LANcard, an I/O device coupling unit coupled to a monitor, a keyboard, anda mouse, a switching unit including a first data reception unit whichtransmits and receives first input/output data between the firstoperation system and the I/O device coupling unit and a second datareception unit which transmits and receives second input/output databetween the second operation system and the I/O device coupling unit,and a control unit which, when a first button operates, inactivates thedata reception unit currently being activated, and activates the otherdata reception unit currently being inactivated” (Abstract of JapaneseLaid-Open Patent Publication No. 2014-049132).

Japanese Laid-Open Patent Publication No. 2009-253389 discloses “amethod for authentication of an access point for use which allows accessonly to a designated work point in a company.” According to the method,a person responsible for a system of a company which uses an applicationservice provider (ASP) service appoints a reliable employee as a personin charge of system key unlocking. As the person in charge of system keyunlocking unlocks the system key only during his/her working hours onhis/her workdays with a predetermined system key unlocking terminal, auser client terminal connected to a network to which the system keyunlocking terminal belongs can access an ASP service system.

SUMMARY

In recent years, an information processing apparatus as above may storetherein data received via a plurality of networks. The plurality ofnetworks may be different from one another in security level. Therefore,in some cases, the information processing apparatus should not providedata stored therein in a similar manner to all terminals on theplurality of networks.

Therefore, a technique for providing a terminal with data stored in aninformation processing apparatus in a manner in accordance with asecurity level of a path through which the data was obtained has beendemanded.

To achieve at least one of the abovementioned objects, according to anaspect of the present disclosure, an information processing apparatusreflecting one aspect of the present disclosure comprises a firstnetwork interface configured to accept access from a terminal on a firstnetwork, a second network interface configured to accept access from aterminal on a second network, a hardware processor configured to processaccess from a terminal on the first network and a terminal on the secondnetwork, and a memory. The memory includes a first area configured tostore data received from the terminal on the second network. The secondnetwork is higher in security level than the first network. The hardwareprocessor is configured to permit access to data stored in the firstarea from the terminal on the second network and restrict access to datastored in the first area from the terminal on the first network.

To achieve at least one of the abovementioned objects, according toanother aspect of the present disclosure, an information processingapparatus reflecting another aspect of the present disclosure comprisesa first network interface configured to accept access from a terminal ona first network, a second network interface configured to accept accessfrom a terminal on a second network, a hardware processor configured toprocess access from a terminal on the first network and a terminal onthe second network, and a memory. The memory includes a first areaconfigured to store data received from the terminal on the secondnetwork. The second network is higher in security level than the firstnetwork. The hardware processor is configured to transmit data stored inthe first area to the terminal on the first network as being encryptedand transmit data stored in the first area to the terminal on the secondnetwork as being decrypted.

To achieve at least one of the abovementioned objects, according to yetanother aspect of the present disclosure, a computer readable recordingmedium having a program stored thereon in a non-transitory mannerreflecting yet another aspect of the present disclosure is provided, theprogram being executed by a computer of an information processingapparatus including a first network interface configured to acceptaccess from a terminal on a first network, a second network interfaceconfigured to accept access from a terminal on a second network, and amemory. The memory includes a first area in which data received from theterminal on the second network is stored together with informationrepresenting reception of the data from the terminal on the secondnetwork. The second network is higher in security level than the firstnetwork. The program, by being executed, causes the computer to performaccepting an access; determining whether the accepted access is from theterminal on the first network; and restricting access to data stored inthe first area if the accepted access is from the terminal on the firstnetwork.

To achieve at least one of the abovementioned objects, according to yetanother aspect of the present disclosure, a computer readable recordingmedium having a program stored thereon in a non-transitory mannerreflecting yet another aspect of the present disclosure is provided, theprogram being executed by a computer of an information processingapparatus including a first network interface configured to acceptaccess from a terminal on a first network, a second network interfaceconfigured to accept access from a terminal on a second network, and amemory. The memory includes a first area configured to store datareceived from the terminal on the second network. The second network ishigher in security level than the first network. The program, by beingexecuted, causes the computer to perform transmitting data stored in thefirst area to the terminal on the first network as being encrypted andtransmitting data stored in the first area to the terminal on the secondnetwork as being decrypted.

BRIEF DESCRIPTION OF THE DRAWINGS

The advantages and features provided by one or more embodiments of theinvention will become more fully understood from the detaileddescription given hereinbelow and the appended drawings which are givenby way of illustration only, and thus are not intended as a definitionof the limits of the present invention.

FIG. 1 shows one embodiment of a configuration of a network system.

FIG. 2 schematically shows a hardware configuration of an informationprocessing apparatus.

FIG. 3 shows one example of a screen for setting a security level.

FIG. 4 is a diagram for illustrating a manner of storage of data in amemory.

FIG. 5 is a flowchart of one example of processing performed for storingdata in the memory.

FIG. 6 is a flowchart showing one example of processing for controllingaccess to data stored in the memory.

FIG. 7 is a diagram schematically showing one example of an effect bythe processing in FIG. 6.

FIG. 8 is a flowchart of one example of processing performed fortransmitting data in the memory to a terminal.

FIG. 9 is a diagram for illustrating one example of determination instep S804.

FIG. 10 is a diagram showing one example of a situation at the time oftransmission of data from a terminal to an information processingapparatus in a second embodiment.

FIG. 11 is a diagram showing one example of a screen shown in connectionwith an inquiry.

FIG. 12 is a diagram for illustrating a manner of access to data storedin a data area.

FIGS. 13 and 14 are diagrams each showing one embodiment of aconfiguration of the network system.

FIG. 15 shows a screen for inputting change in security level.

FIG. 16 is a diagram for illustrating an operation by the informationprocessing apparatus when the security level is changed.

FIG. 17 is a diagram showing one example of information transmitted formaking an inquiry about handling of data in a shared BOX.

FIG. 18 is a diagram showing handling of data in another example.

FIG. 19 shows a screen for inputting change in security level.

FIG. 20 is a diagram for illustrating an operation by the informationprocessing apparatus onto data stored in the shared BOX when thesecurity level is changed.

FIG. 21 is a diagram showing one example of information transmitted formaking an inquiry about handling of data in the shared BOX.

FIG. 22 is a diagram for illustrating handling of data when “copy tonetwork 1” is designated.

FIG. 23 is a diagram for illustrating handling of data when “erase” isdesignated.

DETAILED DESCRIPTION OF EMBODIMENTS

Hereinafter, one or more embodiments of the present invention will bedescribed with reference to the drawings. However, the scope of theinvention is not limited to the disclosed embodiments.

The same elements and components in the description below have the samereference characters allotted and their labels and functions are alsothe same. Therefore, description thereof will not be repeated.

First Embodiment

(1. Configuration of Network)

FIG. 1 is a diagram showing one embodiment of a configuration of anetwork system including an information processing apparatus. In theexample in FIG. 1, a network system 500 implements an intra-companynetwork. Network system 500 includes a network 1, a network 2, and aninformation processing apparatus 100 accessible from each of network 1and network 2.

In the example in FIG. 1, information processing apparatus 100 isimplemented by a multi-functional peripheral (MFP). Informationprocessing apparatus 100 may be implemented by any computer so long asit includes a first network interface configured to accept access from aterminal on network 1, a second network interface configured to acceptaccess from a terminal on network 2, a memory configured to store datatransmitted from network 2, and a processor configured to process datastored in the memory.

Network 1 includes a server 210, a router 220, and a personal computer(PC) 230. Server 210 and PC 230 are connected to a public communicationnetwork such as the Internet and information processing apparatus 100with router 220 being interposed.

Network 2 includes a server 310, a router 320, and two PCs 330 and 340.Server 310 and PCs 330 and 340 are connected to information processingapparatus 100 with router 320 being interposed.

Information processing apparatus 100 accepts access from a terminal onnetwork 1 (in the example in FIG. 1, server 210 and PC 230) through afirst network interface card (NIC). Information processing apparatus 100accepts access from a terminal on network 2 (in the example in FIG. 1,server 310 and PCs 330 and 340) through a second NIC. The first NIC isshown as a first NIC 155 in FIG. 2. The second NIC is shown as a secondNIC 156 in FIG. 2. Internet protocol (IP) addresses different from eachother are allocated to the first NIC and the second NIC.

(2. Hardware Configuration of Information Processing Apparatus 100)

FIG. 2 is a diagram schematically showing a hardware configuration ofinformation processing apparatus 100. Referring to FIG. 2, informationprocessing apparatus 100 includes a central processing unit (CPU) 150for controlling information processing apparatus 100, a memory 160 forstoring a program and data, and a control panel 170.

Memory 160 stores a program to be executed by CPU 150 and various typesof data and includes a non-volatile memory. Control panel 170 includes adisplay 171 and a user interface 172. Display 171 is implemented, forexample, by a liquid crystal display and/or a plasma display. Userinterface 172 accepts input of an operation onto information processingapparatus 100 and it is implemented, for example, by a touch sensorand/or hardware buttons.

Information processing apparatus 100 further includes an imageprocessing unit 151, an image forming unit 152, an image reader 153, afacsimile communication unit 154, first NIC 155, and second NIC 156.Image processing unit 151 performs various types of processing includingscaling onto an input image. Image forming unit 152 includes an elementfor forming an image on recording paper such as a photoconductor. Imagereader 153 includes an element for generating image data of a documentsuch as a scanner and generates scan data by scanning a document.Facsimile communication unit 154 includes an element for transmittingand receiving image data through facsimile communication such as amodem.

(3. Setting of Security Level)

Information processing apparatus 100 accepts setting of a security levelfor each of network 1 and network 2. FIG. 3 is a diagram showing oneexample of a screen for setting a security level shown on display 171. Ascreen 390 in FIG. 3 includes buttons 391A and 392A for setting asecurity level of network 1 to “normal” and “high”, respectively. Screen390 also includes buttons 391B and 392B for setting a security level ofnetwork 2 to “normal” and “high”, respectively.

The example in FIG. 3 shows a state that button 391A and button 392B areselected. This state shows that the security level “normal” is set fornetwork 1 and the security level “high” is set for network 2. In theexample in FIG. 3, network 2 is higher in security level than network 1.Depending on a difference in security level, CPU 150 of informationprocessing apparatus 100 has memory 160 store data received from aterminal on network 1 and data received from a terminal on network 2 inareas different from each other.

(4. Manner of Storage of Data in Accordance with Security Level)

FIG. 4 is a diagram for illustrating a manner of storage of data inmemory 160. As shown in FIG. 4, a data area 410 and a data area 420 areset in memory 160. Data area 410 is an area for storing data receivedfrom a terminal on a network of which security level is “normal”. Dataarea 420 is an area for storing data received from a terminal on anetwork of which security level is “high”.

Data area 410 includes a personal BOX 411 for storing data of each ofusers A to F and a shared BOX 412 for storing data shared among theusers. Data area 420 includes a personal BOX 421 for storing data ofeach of users A to D and a shared BOX 422 for storing data shared amongthe users.

In one embodiment, CPU 150 may have data stored in data area 410 withoutbeing encrypted and have data stored in data area 420 as beingencrypted. CPU 150 may have a key for decryption of the encrypted datastored in a prescribed area in memory 160. CPU 150 may transmit the keyto a terminal which is a data sender.

(5. Processing for Storing Data)

FIG. 5 is a flowchart of one example of processing performed by CPU 150for storing data in memory 160. A manner of storage of data by CPU 150will be described with reference to FIG. 5. Processing herein isperformed, for example, by execution of a given program by CPU 150.

In step S500, CPU 150 determines whether or not it has received datafrom a terminal on network 1 or network 2. CPU 150 receives data atfirst NIC 155 from a terminal on network 1. CPU 150 receives data atsecond NIC 156 from a terminal on network 2. CPU 150 has control remainat step S500 until it determines that it has received data (NO in stepS500), and when CPU 150 determines that it has received data (YES instep S500), it allows control to proceed to step S502.

In step S502, CPU 150 checks a sender of the received data. A terminalon network 1 is the sender of data received at first NIC 155. A terminalon network 2 is the sender of data received at second NIC 156.

In step S504, CPU 150 has the received data stored in an area inaccordance with the sender. More specifically, CPU 150 has the receiveddata stored in area 410 when the terminal on network 1 is the sender.Further specifically, when CPU 150 is instructed to have the receiveddata stored in a personal folder, CPU 150 has the data stored in an areaof a corresponding user in personal BOX 411. When CPU 150 is instructedto have the received data stored in a shared folder, CPU 150 has thedata stored in shared BOX 412.

Alternatively, CPU 150 has the received data stored in area 420 when theterminal on network 2 is the sender. Further specifically, when CPU 150is instructed to have the received data stored in a personal folder, CPU150 has the data stored in an area of a corresponding user in personalBOX 421. When CPU 150 is instructed to have the received data stored ina shared folder, CPU 150 has the data stored in shared BOX 422.

Thereafter, CPU 150 has control return to step S500.

(6. Control of Access to Data)

FIG. 6 is a flowchart showing one example of processing for control byCPU 150 of access to data stored in memory 160. Control of access todata by CPU 150 will be described with reference to FIG. 6.

In step S600, CPU 150 determines whether or not it has accepted accessto data in memory 160. CPU 150 has control remain at step S600 until itdetermines that it has accepted access to data (NO in step S600), andwhen CPU 150 determines that it has accepted access (YES in step S600),it allows control to proceed to step S602. Access to data includes arequest for presenting a file stored in a designated storage area. Forexample, access to a prescribed folder includes a request for presentinga file stored in the prescribed folder.

In step S602, CPU 150 determines whether or not access received in stepS600 has originated from a terminal on network 2. When CPU 150determines that the access has originated from a terminal on network 2(YES in step S602), CPU 150 allows control to proceed to step S604. WhenCPU 150 determines that the access has originated from a terminal on anetwork other than network 2 (in the example in FIG. 1, network 1) (NOin step S602), CPU 150 allows control to proceed to step S606.

In step S604, CPU 150 presents data stored in data area 410 and dataarea 420. Thereafter, CPU 150 has control return to step S600.

In step S606, CPU 150 presents data stored in data area 410. Thereafter,CPU 150 has control return to step S600.

As described above with reference to FIG. 6, when CPU 150 accepts accessfrom a terminal on a network high in security level (network 2), itpresents data in both of data area 410 and data area 420 in response tothe access. A user who has accessed memory 160 from the terminal onnetwork 2 thus recognizes presence of both of data in data area 410 anddata in data area 420.

When CPU 150 accepts access from a terminal on a network low in securitylevel (network 1), it presents only data in data area 410 in response tothe access. A user who has accessed memory 160 from the terminal onnetwork 1 can thus recognize presence of data in data area 410 whereasthe user is unable to recognize presence of data in data area 420.

FIG. 7 is a diagram schematically showing one example of an effect bythe processing in FIG. 6. FIG. 7 shows a situation (1) and a situation(2). FIG. 7 shows data without hatching and hatched data as data to bepresented to a user. The data without hatching represents data stored indata area 410 (see FIG. 4). The hatched data represents data stored indata area 420 (see FIG. 4).

The situation (1) shows access by a user A (a user 701) to memory 160from a terminal on network 2. In the situation (1), data stored in bothof area 410 and area 420 among data which can be viewed by user A arepresented.

The situation (2) shows access by user A to memory 160 from a terminalon network 1. In the situation (2), only data stored in area 410 amongdata which can be viewed by user A is presented to user A (user 701) anddata stored in area 420 is not presented.

(7. Transmission of Data Stored in Memory to Terminal)

FIG. 8 is a flowchart of one example of processing performed by CPU 150for transmitting data in memory 160 to a terminal. Transmission of datafrom information processing apparatus 100 to a terminal in networksystem 500 will be described with reference to FIG. 8.

In step S800, CPU 150 accepts a request for transmission of data to aterminal. A request from a certain terminal for downloading data to theterminal represents one example of a request for transmission of data tothe terminal In this case, a destination terminal is a terminal whichhas issued a request for transmission of data. In another example, arequest for transmission of data from a certain terminal to anotherterminal is issued. In this case, a destination terminal is “anotherterminal.”

In step S802, CPU 150 determines whether or not there is a network ofwhich security level is set to “high” in network system 500. When CPU150 determines that there is a network of which security level is set to“high” (YES in step S802), CPU 150 allows control to proceed to stepS804. When CPU 150 determines that there is no network of which securitylevel is set to “high” (NO in step S802), CPU 150 allows control toproceed to step S814. For example, when the security level of network 2is set to “high” as shown in FIG. 1, control proceeds to step S804.

In step S804, CPU 150 determines whether or not a destination terminalis a terminal of which security level is “high”. When CPU 150 determinesthat the destination terminal is a terminal of which security level is“high” (YES in step S804), CPU 150 allows control to proceed to stepS806. When CPU 150 determines that the destination terminal is not aterminal of which security level is “high” (NO in step S804), CPU 150allows control to proceed to step S810.

In step S806, CPU 150 determines whether or not data to be transmittedis data received from a terminal of which security level is “high”. WhenCPU 150 determines that the data to be transmitted is data received froma terminal of which security level is “high” (YES in step S806), CPU 150allows control to proceed to step S808, and otherwise (NO in step S806),it allows control to proceed to step S814.

In the present embodiment, data received from a terminal of whichsecurity level is “high” is stored in an area for the security level“high” (data area 420 in FIG. 4) as described with reference to FIG. 4.Data may be stored in data area 420 as being encrypted.

In step S808, CPU 150 decrypts data in data area 420 and has the datastored in a temporary storage area in memory 160. Thereafter, controlproceeds to step S814.

In step S810, whether or not data to be transmitted is data receivedfrom a terminal of which security level is “high” is determined. WhenCPU 150 determines that the data to be transmitted is data received froma terminal of which security level is “high” (YES in step S810), CPU 150allows control to proceed to step S812, and otherwise (NO in step S810),control proceeds to step S814.

In step S812, CPU 150 transmits a key for decrypting data to betransmitted to a destination terminal Thereafter, control proceeds tostep S814.

In step S814, CPU 150 transmits data to be transmitted to a terminaldesignated as the destination. When CPU 150 decrypts data in step S808,CPU 150 transmits the decrypted data in step S814.

According to the processing in FIG. 8 above, when data to be transmittedis data in data area 420, CPU 150 performs a different proceduredepending on whether or not a destination terminal belongs to a networkof which security level is “high”. More specifically, when a destinationterminal belongs to a network of which security level is “high”, CPU 150transmits data to be transmitted to that terminal as being decrypted(steps S808 and S814).

When a destination terminal belongs to a network at a security levelother than the security level “high”, CPU 150 transmits a key fordecrypting the data to be transmitted to that terminal (step S812), andthereafter transmits the data to be transmitted (which has beenencrypted) to that terminal (step S814). CPU 150 may transmit a key fordecrypting data to be transmitted, subsequent to transmission of thatdata.

FIG. 9 is a diagram for illustrating one example of determination madein step S804 by CPU 150. In the example in FIG. 9, CPU 150 inquires of adestination terminal about a network to which the terminal belongs byusing a simple network management protocol (SNMP) command or a Pingcommand Memory 160 stores setting of a security level of each network innetwork system 500. CPU 150 determines to which network the destinationterminal belongs by using a reply to the inquiry from the senderterminal and determines whether or not the security level of the networkto which each terminal belongs is “high” based on a result ofdetermination. Determination in step S804 is made based on thatdetermination.

Second Embodiment

(1) Storage of Data in Accordance with Setting as to Whether or notAccess is Permitted

In the network system in a second embodiment, CPU 150 of informationprocessing apparatus 100 determines a manner of storage of data receivedfrom a terminal on a network of which security level is “high” inaccordance with an instruction from that terminal.

FIG. 10 is a diagram showing one example of a situation at the time oftransmission of data from a terminal to information processing apparatus100 in the second embodiment. FIG. 10 shows a step (1) and a step (2).

In the step (1), a user 101 transmits data to information processingapparatus 100 (by using a terminal) When a terminal which is a sender ofdata belongs to a network of which security level is “normal”, CPU 150has the data stored in data area 410 (FIG. 4). When the sender belongsto the security level “high”, CPU 150 performs the step (2).

In the step (2), CPU 150 inquires of (a terminal used by) user 101whether or not to permit access to the transmitted data by a terminal ona network of which security level is “normal”.

FIG. 11 is a diagram showing one example of a screen shown in connectionwith the inquiry. A screen 1100 in FIG. 11 includes a button 1101 forpermitting access and a button 1102 for rejecting access. A user of aterminal operates button 1101 or button 1102. CPU 150 determines amanner of storage of transmitted data in accordance with the operatedbutton.

More specifically, when button 1102 is operated (access being rejected),CPU 150 has transmitted data stored in data area 420. CPU 150 may havethe data stored after it encrypts the data.

When button 1101 is operated (access being permitted), CPU 150 hastransmitted data stored in data area 420 and further has the data storedin data area 410. CPU 150 may have the data stored in data area 420after it encrypts the data. When CPU 150 has the data stored in dataarea 410, it has the data stored after it encrypts the data. CPU 150 hasa key for decrypting encrypted data stored in memory 160. CPU 150 maytransmit the key to a terminal which is a sender of data and/or aterminal of a manager of the network.

FIG. 12 is a diagram for illustrating a manner of access to data storedin data area 410 and data area 420. In FIG. 12, data transmitted from anetwork of which security level is “high” is shown as “data A.” Data Ais stored in both of data area 410 and data area 420. In data area 410,data A has been encrypted.

Data area 420 is an area for data received from a terminal of whichsecurity level is “high”. Therefore, though CPU 150 accepts access fromnetwork 2 to data in data area 420, it does not accept access theretofrom network 1. “Data A” in data area 420 is thus accessed throughsecure communication (communication between network 2 and informationprocessing apparatus 100).

Data area 410 is an area for data received from a terminal of whichsecurity level is “normal.” Therefore, CPU 150 accepts access from bothof network 1 and network 2 to data in data area 410. Therefore, “data A”in data area 410 can be accessed also through insecure communication(communication between network 1 and information processing apparatus100).

“Data A” in data area 410 has been encrypted. A user who accesses “dataA” from network 1 separately obtains a key for decrypting data A. Thenetwork system thus ensures security of “data A” and accepts access to“data A” from network 1.

(2) Setting of Security Level of Data

When CPU 150 receives data from a terminal on a network of whichsecurity level is “high”, it may accept designation of the securitylevel of the data. When the security level “high” of that data isdesignated, CPU 150 has the data stored in data area 420 as describedwith reference to FIG. 12, and further has the data stored in data area410 as being encrypted. When the security level “normal” of the data isdesignated, CPU 150 has the data stored in data area 420 and further hasthe data stored in data area 410 without encrypting the data. CPU 150operates as below in response to an instruction to erase the data.

When an instruction to erase data stored in data area 420 is given, CPU150 erases the data stored in data area 420 and data in data area 410corresponding to that data. When an instruction to erase data stored indata area 410 is given, CPU 150 erases only data stored in data area 410and does not erase data stored in data area 420.

Third Embodiment

In a third embodiment, information processing apparatus 100 receives aprint job. The received print job is stored in information processingapparatus 100. The print job stored in information processing apparatus100 may be executed in information processing apparatus 100 or inanother image forming apparatus. When the print job is executed inanother image forming apparatus, the print job is transferred frominformation processing apparatus 100 to another image forming apparatus.

FIG. 13 is a diagram showing one embodiment of a configuration of anetwork system including an information processing apparatus. A networksystem 1300 in FIG. 13 includes network 1 of which security level is setto “normal”, network 2 of which security level is set to “high”, andinformation processing apparatus 100 accessible from network 1 andnetwork 2. Network 1 includes PC 230 and an MFP 100A. Network 2 includesPC 330 and an MFP 100B.

MFPs 100A and 100B are identical in hardware structure to informationprocessing apparatus 100 described with reference to FIG. 2. Inexecuting a print job, in network system 1300, information processingapparatus 100 functions as a master and MFPs 100A and 100B function asslaves.

In network system 1300 in FIG. 13, PC 330 transmits a print job toinformation processing apparatus 100. When CPU 150 of informationprocessing apparatus 100 receives the print job, it has the print jobtemporarily stored in memory 160. Since the print job has beentransmitted from the terminal of which security level is “high”, CPU 150has the print job temporarily saved after it encrypts the print job.When the print job has been transmitted from a terminal of whichsecurity level is “normal”, CPU 150 has the print job temporarily savedwithout encrypting the print job.

Information processing apparatus 100 executes the print job by formingan image in accordance with the print job on recording paper by imageforming unit 152. When CPU 150 receives an instruction to execute theprint job, CPU 150 decrypts the print job encrypted as above andthereafter executes the print job.

When the print job stored in information processing apparatus 100 isexecuted in another image forming apparatus, handling of data in theprint job is different depending on whether the print job is executed inan image forming apparatus on network 1 (of which security level is“normal”) or an image forming apparatus on network 2 (of which securitylevel is “high”). Each case will be described below.

(1) Execution of Print Job by Image Forming Apparatus on Network 2

When a user inputs a prescribed instruction to MFP 100B, a CPU of MFP100B transmits information on the user (for example, a user ID) toinformation processing apparatus 100. In response, CPU 150 ofinformation processing apparatus 100 transmits a list of print jobslinked to the information on the user to MFP 100B.

The CPU of MFP 100B has the list of the print jobs shown on a display ofMFP 100B. The user selects a print job of which execution is desired bythe user from the list. The CPU of MFP 100B transmits informationrepresenting which print job has been selected to information processingapparatus 100.

CPU 150 of information processing apparatus 100 determines whether MFP100B belongs to network 1 or network 2. CPU 150 makes determination, forexample, by using an SNMP command or a Ping command.

In the example in FIG. 13, MFP 100B belongs to network 2. In response,CPU 150 decrypts the print job and transmits the decrypted print job toMFP 100B. Thus, the print job as being decrypted is transmitted to MFP100B. MFP 100B executes the print job.

(2) Execution of Print Job by Image Forming Apparatus on Network 1

When a user inputs a prescribed instruction to MFP 100A, a CPU of MFP100A transmits information on the user (for example, a user ID) toinformation processing apparatus 100. In response, CPU 150 ofinformation processing apparatus 100 transmits a list of print jobslinked to the information on the user to MFP 100A.

The CPU of MFP 100A has the list of the print jobs shown on a display ofMFP 100A. The user selects a print job of which execution is desired bythe user from the list. The CPU of MFP 100A transmits informationrepresenting which print job has been selected to information processingapparatus 100.

CPU 150 of information processing apparatus 100 determines whether theselected print job has been transmitted from a terminal on network 2.CPU 150 determines whether MFP 100A belongs to network 1 or network 2.CPU 150 makes determination, for example, by using an SNMP command or aPing command.

It is assumed here that the selected print job has been transmitted froma terminal on network 2. In the example in FIG. 13, MFP 100A belongs tonetwork 1, not to network 2. In response, CPU 150 transmits a print jobwhich remains encrypted to MFP 100A. The user of MFP 100A obtains a keyfor decrypting the print job and inputs the key to MFP 100A. In responseto input of the key, MFP 100A decrypts the print job and thereafterexecutes the print job.

In the third embodiment described above, information processingapparatus 100 stores a print job received from a terminal on network 2as being encrypted. When the print job is executed in an image formingapparatus on network 2, information processing apparatus 100 decryptsthe print job and thereafter transmits the decrypted print job to theimage forming apparatus. When the print job is executed in an imageforming apparatus on network 1, information processing apparatus 100transmits the print job which remains encrypted to the image formingapparatus.

Fourth Embodiment

A fourth embodiment relates to handling of data uploaded from a networksystem to a server such as a cloud server.

FIG. 14 is a diagram showing one embodiment of a configuration of anetwork system including an information processing apparatus. A networksystem 1400 in FIG. 14 includes network 1 of which security level is setto “normal”, network 2 of which security level is set to “high”, andinformation processing apparatus 100 accessible from network 1 andnetwork 2.

Information processing apparatus 100 can communicate with a cloud server1401. Network 1 includes PC 230. Network 2 includes PC 330.

Information processing apparatus 100 uploads data to cloud server 1401.For example, data generated by a scanning operation by informationprocessing apparatus 100 is uploaded. In the example in FIG. 14, a usersets the security level “high” for the scanning operation by informationprocessing apparatus 100. In response, CPU 150 of information processingapparatus 100 encrypts the data and thereafter uploads the encrypteddata to cloud server 1401. CPU 150 has a key for decrypting the datastored in memory 160.

When cloud server 1401 receives a request for downloading of the data,it transmits information on a terminal which has issued a request fordownloading to information processing apparatus 100.

CPU 150 determines whether or not the terminal which has issued arequest for downloading is a terminal on network 2. For thisdetermination, CPU 150 obtains identification information of theterminal which has issued a request for downloading, for example, fromcloud server 1401. In addition, CPU 150 issues a request foridentification information to each terminal on network 2 by using a Pingcommand or an SNMP command. When the identification information of theterminal which has issued a request for downloading matches withidentification information of any of terminals on network 2, CPU 150determines that the terminal which has issued a request for downloadingis a terminal on network 2. When the identification information of theterminal which has issued a request for downloading does not match withidentification information of any of terminals on network 2, CPU 150determines that the terminal which has issued a request for downloadingis not a terminal on network 2.

When CPU 150 determines that the terminal which has issued a request fordownloading is not a terminal on network 2, it gives a response to thateffect to cloud server 1401. In response to that response, cloud server1401 transmits requested data which remains encrypted to the terminalwhich has issued the request. For example, when terminal 230 has issueda request for downloading, it is determined that the terminal which hasissued the request is not a terminal on network 2. Cloud server 1401transmits data which remains encrypted to terminal 230. A user ofterminal 230 should obtain a decryption key through a different path.The user decrypts the data on terminal 230 by using that key.

When CPU 150 determines that the terminal which has issued a request fordownloading is a terminal on network 2, it gives a response to thateffect to cloud server 1401. In response to that response, cloud server1401 transmits requested data to information processing apparatus 100.CPU 150 of information processing apparatus 100 decrypts the data anduploads again the data to cloud server 1401. Cloud server 1401 transmitsthe decrypted data to the terminal which has issued the request. Forexample, when terminal 330 has issued a request for downloading, it isdetermined that a terminal on network 2 is the terminal which has issuedthe request. Cloud server 1401 transmits the decrypted data to terminal330. A user of terminal 330 can thus recognize contents of the datawithout a decryption key.

In a certain modification, when it is determined that a terminal onnetwork 2 has issued a request for downloading, CPU 150 may directlytransmit decrypted data to the terminal which has issued the request,without uploading again the data to cloud server 1401.

In another modification, when it is determined that a terminal onnetwork 2 has issued a request for downloading, CPU 150 may directlytransmit a decryption key to the terminal which has issued the request.Cloud server 1401 transmits encrypted data to the terminal which hasissued the request. The terminal which has issued the request decryptsthe data transmitted from cloud server 1401 by using the decryption keytransmitted from information processing apparatus 100.

Fifth Embodiment

A fifth embodiment relates to change in security level of a network inthe network system. More specifically, the fifth embodiment relates tohandling of data received from network 2 when the security level ofnetwork 2 is changed from “high” to “normal”. Two examples of handlingof data in such a case will be described below.

(1) Example A (FIGS. 15 to 18)

In the first to fourth embodiments, the security level “high” is set fornetwork 2. This setting is changed to the security level “normal” in anexample A.

FIG. 15 shows a screen for inputting change in security level. CPU 150of information processing apparatus 100 has display 171 show a screen1500 in FIG. 15 in accordance with a given operation. Screen 1500 inFIG. 15 includes buttons 1501A and 1502A for setting the security levelof network 1 to “normal” and “high”, respectively. Screen 1500 includesbuttons 1501B and 1502B for setting the security level of network 2 to“normal” and “high”, respectively.

The example in FIG. 15 shows that button 1501A and button 1501B areselected. This state indicates that the security level “normal” is setfor both of network 1 and network 2.

In the first to fourth embodiments, the security level of network 2 isset to “high”. When the security level of network 2 is changed from“high” to “normal”, CPU 150 moves data of each user in personal BOX 421to a folder of a corresponding user in personal BOX 411.

FIG. 16 is a diagram for illustrating an operation by informationprocessing apparatus 100 when the security level is changed. CPU 150inquires of a manager (a user 1601 in FIG. 16) of network 2 abouthandling of data in shared BOX 422. More specifically, for example, CPU150 transmits inquiry information to a terminal associated with user1601.

FIG. 17 is a diagram showing one example of information transmitted formaking an inquiry about handling of data in shared BOX 422. In responseto the inquiry, a terminal of the manager (user 1601) shows, forexample, a screen 1700 in FIG. 17. Screen 1700 makes an inquiry aboutwhether or not data in shared BOX 422 may be erased. The manager (user1601) answers to the inquiry by operating a “YES” button or a “NO”button in screen 1700.

In one example, when the “YES” button is operated, CPU 150 ofinformation processing apparatus 100 erases data in shared BOX 422. Whenthe “NO” button is operated, CPU 150 discards an instruction to changethe security level of network 2. Namely, the security level “high” ofnetwork 2 is maintained In this case, movement of data from personal BOX421 to personal BOX 411 described above is undone.

FIG. 18 is a diagram showing handling of data in another example. Inanother example, when the “YES” button is operated, CPU 150 erases datain shared BOX 422. Furthermore, CPU 150 specifies a user to which eachpiece of data corresponds. CPU 150 then encrypts each piece of data andhas the data stored in a folder corresponding to each user in shared BOX411. CPU 150 transmits a key for decrypting encrypted data to the userspecified for each piece of data. In this example as well, when the “NO”button is operated, CPU 150 discards an instruction to change thesecurity level of network 2. Namely, the security level “high” ofnetwork 2 is maintained In this case, movement of data from personal BOX421 to personal BOX 411 described above is undone.

(2) Example B (FIGS. 19 to 23)

In an example B, the security level of network 2 is changed from “high”to “normal” and the security level of network 1 is changed from “normal”to “high”.

FIG. 19 shows a screen for inputting change in security level. CPU 150of information processing apparatus 100 has display 171 show a screen1900 in FIG. 19 in accordance with a given operation. Screen 1900includes buttons 1901A and 1902A for setting the security level ofnetwork 1 to “normal” and “high”, respectively. Screen 1900 includesbuttons 1901B and 1902B for setting the security level of network 2 to“normal” and “high”, respectively.

A user inputs the security level of each of network 1 and network 2 inscreen 1900. In the example in FIG. 19, button 1902A of buttons 1901Aand 1902A is selected in screen 1900. The security level “high” is thusinput for network 1. In the example in FIG. 19, button 1901B of buttons1901B and 1902B is selected in screen 1900. The security level “normal”is thus input for network 2.

When the security level of network 2 is changed from “high” to “normal”,CPU 150 moves data of each user in personal BOX 421 to a folder of acorresponding user in personal BOX 411.

FIG. 20 is a diagram for illustrating an operation by informationprocessing apparatus 100 onto data stored in shared BOX 422 when thesecurity level is changed. CPU 150 inquires of a manager (a user 2001 inFIG. 20) of network 2 about handling of data in shared BOX 422. Morespecifically, for example, CPU 150 transmits inquiry information to aterminal associated with user 2001.

FIG. 21 is a diagram showing one example of information transmitted formaking an inquiry about handling of data in shared BOX 422. For example,a screen 2100 in FIG. 21 is shown on a terminal of the manager (user2001). Screen 2100 includes a button (buttons 2101, 2102, and 2103) foraccepting designation of any of three menus of “copy to network 1,”“erase”, and “cancel” as to handling of data in shared BOX 422. Themanager (user 2001) answers to the inquiry by operating any of buttons2101, 2102, and 2103 in screen 2100.

FIG. 22 is a diagram for illustrating handling of data when button 2101is operated (when “copy to network 1” is designated). As shown in FIG.22, CPU 150 copies data of each user in personal BOX 421 to a folder ofeach corresponding user in personal BOX 411. CPU 150 copies data inshared BOX 422 to shared BOX 412. Data in personal BOX 421 and data inshared BOX 422 are copied to personal BOX 411 and shared BOX 412,respectively, without being encrypted. Thereafter, data in personal BOX421 and data in shared BOX 422 are erased.

FIG. 23 is a diagram for illustrating handling of data when button 2102is operated (when “erase” is designated). In FIG. 23, a data area 430 isfurther set in memory 160. Data area 430 is a storage area for a networkof which security level is “high” similarly to data area 420. In theexample in FIG. 23, the network system includes a network of whichsecurity level is “high” other than network 1 and network 2. Data area430 is an area for storing data received from another network. Data area430 includes a personal BOX 431 which stores data for each user and ashared BOX 432 for storing data shared among users.

As shown in FIG. 23, CPU 150 copies data of each user in personal BOX421 to a folder of each corresponding user in personal BOX 431 as beingencrypted. When the security level of network 2 is changed from “high”to “normal”, CPU 150 has data received so far from a terminal on network2 stored in an area for storage of data received from another network ofwhich security level is “high”. Thereafter, CPU 150 erases data inpersonal BOX 421. CPU 150 erases data in shared BOX 422 without copyingthe data to another area.

Although embodiments of the present invention have been described andillustrated in detail, the disclosed embodiments are made for thepurposes of illustration and example only and not limitation. The scopeof the present invention should be interpreted by terms of the appendedclaims

What is claimed is:
 1. An information processing apparatus comprising: afirst network interface configured to accept access from a terminal on afirst network; a second network interface configured to accept accessfrom a terminal on a second network; a hardware processor configured toprocess access from the terminal on the first network and the terminalon the second network; and a memory, the memory including a first areaconfigured to store data received from the terminal on the secondnetwork, the second network being higher in security level than thefirst network, and the hardware processor being configured to permitaccess to data stored in the first area from the terminal on the secondnetwork, and restrict access to data stored in the first area from theterminal on the first network.
 2. The information processing apparatusaccording to claim 1, wherein the hardware processor is configured toencrypt the data received from the terminal on the second network and tohave the data stored in the first area.
 3. The information processingapparatus according to claim 1, wherein the memory further includes asecond area, and the hardware processor is configured to permit accessto data stored in the second area from the terminal on the firstnetwork, and when the terminal on the first network is permitted to viewthe data received from the terminal on the second network, have the datastored in the first area without encrypting the data and have the datastored in the second area as being encrypted.
 4. The informationprocessing apparatus according to claim 1, further comprising an imageforming unit configured to execute a print job, wherein the hardwareprocessor is configured to when the hardware processor receives data ofthe print job from the terminal on the second network, have the data ofthe print job stored in the memory as being encrypted, and decrypt thedata when the image forming unit executes the print job.
 5. Theinformation processing apparatus according to claim 1, wherein thehardware processor is configured to when the hardware processor receivesdata of a print job from the terminal on the second network, have thedata of the print job stored in the memory as being encrypted, when animage forming apparatus on the first network executes the print job,transmit data of the print job to the image forming apparatus as beingencrypted, and when an image forming apparatus on the second networkexecutes the print job, transmit data of the print job to the imageforming apparatus on the second network as being decrypted.
 6. Theinformation processing apparatus according to claim 1, wherein thehardware processor is configured to upload data to a cloud server asbeing encrypted, determine whether a terminal which requests theuploaded data is a terminal on the second network in response to arequest from the cloud server, and when the terminal which requests thedata is the terminal on the second network, decrypt the data andtransmit the decrypted data to the cloud server or an access source, ortransmit a key for decryption of the data to the access source.
 7. Theinformation processing apparatus according to claim 1, wherein when asecurity level of the second network is changed to a lower securitylevel, the hardware processor is configured to have data in the firstarea stored as being encrypted in an area in the memory corresponding tothe changed security level.
 8. The information processing apparatusaccording to claim 1, wherein when a security level of the secondnetwork is changed to a lower security level, the hardware processor isconfigured to have data in the first area stored in an area in thememory corresponding to the security level before change.
 9. Aninformation processing apparatus comprising: a first network interfaceconfigured to accept access from a terminal on a first network; a secondnetwork interface configured to accept access from a terminal on asecond network; a hardware processor configured to process access fromthe terminal on the first network and the terminal on the secondnetwork; and a memory, the memory including a first area configured tostore data received from the terminal on the second network, the secondnetwork being higher in security level than the first network, and thehardware processor being configured to transmit data stored in the firstarea to the terminal on the first network as being encrypted, andtransmit data stored in the first area to the terminal on the secondnetwork as being decrypted.
 10. The information processing apparatusaccording to claim 9, wherein the memory further includes a second area,and the hardware processor is configured to permit access to data storedin the second area from the terminal on the first network, and when theterminal on the first network is permitted to view the data receivedfrom the terminal on the second network, have the data stored in thefirst area without encrypting the data and have the data stored in thesecond area as being encrypted.
 11. The information processing apparatusaccording to claim 9, further comprising an image forming unitconfigured to execute a print job, wherein the hardware processor isconfigured to when the hardware processor receives data of the print jobfrom the terminal on the second network, have the data of the print jobstored in the memory as being encrypted, and decrypt the data when theimage forming unit executes the print job.
 12. The informationprocessing apparatus according to claim 9, wherein the hardwareprocessor is configured to when the hardware processor receives data ofa print job from the terminal on the second network, have the data ofthe print job stored in the memory as being encrypted, when an imageforming apparatus on the first network executes the print job, transmitdata of the print job to the image forming apparatus as being encrypted,and when an image forming apparatus on the second network executes theprint job, transmit data of the print job to the image forming apparatuson the second network as being decrypted.
 13. The information processingapparatus according to claim 9, wherein the hardware processor isconfigured to upload data to a cloud server as being encrypted,determine whether a terminal which requests the uploaded data is aterminal on the second network in response to a request from the cloudserver, and when the terminal which requests the data is the terminal onthe second network, decrypt the data and transmit the decrypted data tothe cloud server or an access source, or transmit a key for decryptionof the data to the access source.
 14. The information processingapparatus according to claim 9, wherein when a security level of thesecond network is changed to a lower security level, the hardwareprocessor is configured to have data in the first area stored as beingencrypted in an area in the memory corresponding to the changed securitylevel.
 15. The information processing apparatus according to claim 9,wherein when a security level of the second network is changed to alower security level, the hardware processor is configured to have datain the first area stored in an area in the memory corresponding to thesecurity level before change.
 16. A non-transitory computer readablerecording medium having a program stored thereon, the program beingexecuted by a computer of an information processing apparatus includinga first network interface configured to accept access from a terminal ona first network, a second network interface configured to accept accessfrom a terminal on a second network, and a memory, the memory includinga first area in which data received from the terminal on the secondnetwork is stored together with information representing reception ofthe data from the terminal on the second network, the second networkbeing higher in security level than the first network, the program, bybeing executed, causing the computer to perform: accepting an access tothe information processing apparatus for one of the terminal on thefirst network or the terminal on the second network; determining whetherthe accepted access is for the terminal on the first network; andrestricting access to data stored in the first area if the acceptedaccess is for the terminal on the first network.
 17. A non-transitorycomputer readable recording medium having a program stored thereon, theprogram being executed by a computer of an information processingapparatus including a first network interface configured to acceptaccess from a terminal on a first network, a second network interfaceconfigured to accept access from a terminal on a second network, and amemory, the memory including a first area configured to store datareceived from the terminal on the second network, the second networkbeing higher in security level than the first network, the program, bybeing executed, causing the computer to perform: transmitting datastored in the first area to the terminal on the first network as beingencrypted, and transmitting data stored in the first area to theterminal on the second network as being decrypted.